Signed Java Web Start applications and applets that contain signed and unsigned components could potentially be unsafe unless the mixed code was intended by the application vendor. As of release 1.6.0 update 19, when mixed code is detected in a program, a warning dialog is raised. Mixing Signed and Unsigned Code explains this warning dialog and options that the user, system administrator, developer, and deployer have to manage it.

The libraries iaik_jce_me4se.jar and commons-logging.jar are now signed with A-SIT (VeriSign code signing) certificate (same as BKUApplet.jar)